CN109413062A - Method and system for monitoring and handling malicious attacks on virtual hosts, and node server - Google Patents


Info

Publication number
CN109413062A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201811232473.9A
Other languages
Chinese (zh)
Inventor
王春林
叶圣贤
邓赟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Jiangsu Manyun Software Technology Co Ltd
Original Assignee
Jiangsu Manyun Software Technology Co Ltd

Classifications

    • H04L63/1416: Network architectures or network communication protocols for network security, for detecting or protecting against malicious traffic by monitoring network traffic; event detection, e.g. attack signature detection
    • G06F9/45504: Emulation; interpretation; software simulation, e.g. virtualisation or emulation of application or operating system execution engines; abstract machines for programme code execution, e.g. Java virtual machine [JVM], interpreters, emulators
    • H04L41/0659: Management of faults, events, alarms or notifications using network fault recovery by isolating or reconfiguring faulty entities
    • H04L43/0894: Monitoring or testing data switching networks based on specific metrics; network utilisation, e.g. volume of load or congestion level; packet rate
    • H04L63/1408: Network architectures or network communication protocols for network security, for detecting or protecting against malicious traffic by monitoring network traffic


Abstract

The invention discloses a method and system for monitoring and handling malicious attacks on virtual hosts, and a node server, and relates to the field of Internet technology. The method comprises: capturing all inbound IP data packets in real time and parsing them; when the preset detection interval time is reached, obtaining, from the parsed IP data packets, the actual data packet size of each virtual host within the preset time interval; calculating the actual bandwidth of each virtual host from its actual data packet size; judging, for each virtual host, whether its actual bandwidth is greater than its corresponding bandwidth upper limit; and, when the actual bandwidth of a virtual host is greater than its corresponding bandwidth upper limit, disconnecting the network of that virtual host. In the invention, the monitoring of each virtual host for malicious attack is carried out by its own node server, so a monitoring failure on one node server does not affect the other node servers in the distributed system.

Description

Method and system for monitoring and handling malicious attacks on virtual hosts, and node server
Technical field
The present invention relates to the field of Internet technology, and in particular to a method and system for monitoring and handling malicious attacks on virtual hosts, and to a node server.
Background
With the development of Internet technology, physical servers in distributed public cloud clusters (hereinafter "node servers") are widely used. In use, multiple public cloud servers (hereinafter "virtual hosts") are deployed on each node server.
To deal with malicious attacks on virtual hosts, the existing approach is generally to place dedicated equipment at a core position of the IDC (Internet Data Center) machine room, such as the network egress, to monitor every virtual host on all node servers centrally. When a problem is found, the attack is handled by manually modifying the router configuration or by unplugging the network cable.
This approach has the following problems:
1. The dedicated equipment is prone to single points of failure; if it fails, the monitoring of all virtual hosts in the distributed system is affected.
2. Because processing is centralized, processing capacity cannot grow linearly with the number of node servers/virtual hosts under management or with the network egress bandwidth.
3. Manual intervention is needed when an attack occurs, which is hard to automate and often causes losses such as service interruption.
Summary of the invention
The object of the present invention is to provide a method and system for monitoring and handling malicious attacks on virtual hosts, and a node server, so that even a single point of failure does not affect all virtual hosts in the distributed system.
The technical solution provided by the invention is as follows:
A method for monitoring and handling malicious attacks on virtual hosts, applied to each node server in a distributed system, with at least one virtual host deployed on each node server, the method comprising: capturing all inbound IP data packets in real time and parsing them; when the preset detection interval time is reached, obtaining, from the parsed IP data packets, the actual data packet size of each virtual host within the preset time interval; calculating the actual bandwidth of each virtual host from its actual data packet size; judging, for each virtual host, whether its actual bandwidth is greater than its corresponding bandwidth upper limit; and, when the actual bandwidth of a virtual host is greater than its corresponding bandwidth upper limit, disconnecting the network of that virtual host.
In the above technical solution, each virtual host is monitored by the node server on which it runs, so even if one node server fails, monitoring on the other node servers is unaffected; monitoring capacity grows linearly as node servers are added; and no manual intervention is needed when an attack occurs, since the network is disconnected automatically with a fast response.
Further, the inbound IP data packets are: IP data packets sent by devices other than the local node server.
In the above technical solution, IP data packets exchanged between virtual hosts on the local node server are not considered; only inbound IP data packets are monitored, which reduces the amount of monitoring and avoids unnecessary performance overhead.
Further, each parsed IP data packet includes: a destination IP address and the parsed data packet. Obtaining, when the preset detection interval time is reached, the actual data packet size of each virtual host within the preset time interval from the parsed IP data packets is specifically: aggregating each parsed data packet into the data packet list of the virtual host corresponding to its destination IP address; and, when the preset detection interval time is reached, counting, from the data packet list of each virtual host, the actual data packet size of each virtual host within the preset time interval.
In the above technical solution, the actual data packet size of each virtual host is obtained periodically, which makes the actual bandwidth easy to calculate and keeps the result up to date.
Further, calculating the actual bandwidth of each virtual host from its actual data packet size is specifically: dividing the actual data packet size of each virtual host by the preset time interval to obtain the actual bandwidth of each virtual host.
In the above technical solution, the way the actual bandwidth is calculated is defined.
Further, the method also comprises: receiving configuration information sent by the management backend server, the configuration information including the bandwidth upper limit of each virtual host.
In the above technical solution, the management backend server assigns the bandwidth upper limit of every virtual host on every node server centrally, which saves engineers from setting them one by one and improves the user experience.
The present invention also provides a node server on which at least one virtual host is deployed, comprising: a capture-and-parse module for capturing all inbound IP data packets in real time and parsing them; a size acquisition module for obtaining, when the preset detection interval time is reached, the actual data packet size of each virtual host within the preset time interval from the parsed IP data packets; a bandwidth calculation module for calculating the actual bandwidth of each virtual host from its actual data packet size; a bandwidth judgment module for judging, for each virtual host, whether its actual bandwidth is greater than its corresponding bandwidth upper limit; and a network disconnection module for disconnecting the network of a virtual host when its actual bandwidth is greater than its corresponding bandwidth upper limit.
In the above technical solution, each virtual host is monitored by the node server on which it runs, so even if one node server fails, monitoring on the other node servers is unaffected; monitoring capacity grows linearly as node servers are added; and no manual intervention is needed when an attack occurs, since the network is disconnected automatically with a fast response.
Further, each parsed IP data packet includes: a destination IP address and the parsed data packet. The size acquisition module, which obtains the actual data packet size of each virtual host within the preset time interval from the parsed IP data packets when the preset detection interval time is reached, specifically includes: an aggregation submodule for aggregating each parsed data packet into the data packet list of the virtual host corresponding to its destination IP address; and a statistics submodule for counting, when the preset detection interval time is reached, the actual data packet size of each virtual host within the preset time interval from the data packet list of each virtual host.
Further, the bandwidth calculation module, which calculates the actual bandwidth of each virtual host from its actual data packet size, is specifically: a bandwidth calculation module for dividing the actual data packet size of each virtual host by the preset time interval to obtain the actual bandwidth of each virtual host.
Further, the node server also comprises: an information receiving module for receiving configuration information sent by the management backend server, the configuration information including the bandwidth upper limit of each virtual host.
The present invention also provides a system for monitoring malicious attacks on virtual hosts, comprising: one management backend server and a plurality of node servers as described in any of the above.
Compared with the prior art, the method and system for monitoring and handling malicious attacks on virtual hosts, and the node server, of the present invention have the following beneficial effects:
In the invention, the monitoring of each virtual host for malicious attack is carried out by its own node server, so a monitoring failure on one node server does not affect the other node servers in the distributed system. Moreover, the monitoring program runs on every node server, so when new node servers are added to the distributed system, capacity expands linearly and no excessive demand is placed on the performance of the management backend server.
Brief description of the drawings
The above characteristics, technical features, advantages and implementations of the method and system for monitoring and handling malicious attacks on virtual hosts, and of the node server, are further explained below in a clear and easily understood manner, by describing preferred embodiments with reference to the drawings.
Fig. 1 is a flow chart of one embodiment of the method of the invention for monitoring and handling malicious attacks on virtual hosts;
Fig. 2 is a flow chart of another embodiment of the method of the invention for monitoring and handling malicious attacks on virtual hosts;
Fig. 3 is a structural schematic diagram of one embodiment of the node server of the invention;
Fig. 4 is a structural schematic diagram of another embodiment of the node server of the invention;
Fig. 5 is a structural schematic diagram of one embodiment of the system of the invention for monitoring malicious attacks on virtual hosts.
Description of reference numerals:
10. capture-and-parse module, 20. size acquisition module, 21. aggregation submodule, 22. statistics submodule, 30. bandwidth calculation module, 40. bandwidth judgment module, 50. network disconnection module, 60. information receiving module, 100. management backend server, 200. node server.
Detailed description of embodiments
To explain the embodiments of the invention or the technical solutions of the prior art more clearly, specific embodiments of the invention are described below with reference to the drawings. Obviously, the drawings in the following description are only some embodiments of the invention; a person of ordinary skill in the art can obtain other drawings, and other embodiments, from them without creative effort.
For simplicity, each figure shows only schematically the parts related to the invention; they do not represent the actual structure of a product. In addition, to keep the figures simple and easy to understand, where several components in a figure have the same structure or function, only one of them is drawn or labelled. Herein, "one" means not only "only this one" but can also mean "more than one".
Fig. 1 shows one embodiment of the invention: a method for monitoring and handling malicious attacks on virtual hosts, applied to each node server in a distributed system, with at least one virtual host deployed on each node server. The method comprises:
S101: The node server captures (on the local target network interface card, determined by the card actually in use) all inbound IP data packets in real time and parses them.
Specifically, an inbound IP data packet is an IP data packet sent by a device other than the local node server (for example, another node server or a mobile terminal).
After each IP data packet is parsed, the destination IP address (that is, which virtual host the data packet is to be sent to) and the parsed data packet are obtained.
S102: When the preset detection interval time is reached, the node server obtains, from the parsed IP data packets, the actual data packet size of each virtual host within the preset time interval.
Specifically, the node server periodically checks the actual bandwidth of each virtual host; if a problem is found, it can take timely measures to stop a malicious external attack.
The preset detection interval time and the preset time interval are set according to actual needs. For example, with a preset time interval of 1 minute, 10:01:00, 10:02:00, 10:03:00, ... are the preset detection interval times; at 10:02:00, the node server obtains the actual data packet size of each virtual host for the 1 minute 10:01:01-10:02:00.
S103: The node server calculates the actual bandwidth of each virtual host from its actual data packet size.
S104: The node server judges, for each virtual host, whether its actual bandwidth is greater than its corresponding bandwidth upper limit.
Specifically, at every preset detection interval time, the current actual bandwidth of each virtual host is calculated, which keeps the data up to date.
Each virtual host is given its own bandwidth upper limit according to its function. The upper limit is set so that the bandwidth a virtual host uses under normal conditions cannot exceed it; if the upper limit is exceeded, the virtual host is under malicious attack.
S105: When the actual bandwidth of a virtual host is greater than its corresponding bandwidth upper limit, the node server disconnects the network of that virtual host. A virtual host whose actual bandwidth is not greater than its bandwidth upper limit is allowed to communicate normally.
For example, as shown in Table one below, a node server hosts 5 virtual hosts (A-E) whose actual bandwidths are 40M, 20M, 25M, 30M and 50M and whose corresponding bandwidth upper limits are 50M, 50M, 50M, 50M and 40M. Comparison shows that the actual bandwidth of virtual host E is greater than its corresponding bandwidth upper limit, so the node server disconnects the network of virtual host E and drops the corresponding IP data packets it receives. This makes the IP address of virtual host E unreachable and stops the malicious external attack, so that the other virtual hosts on this node server keep running normally.
Table one
Virtual host | Actual bandwidth | Bandwidth upper limit
A | 40M | 50M
B | 20M | 50M
C | 25M | 50M
D | 30M | 50M
E | 50M | 40M
In the distributed system, each node server is communicatively connected to one management backend server. Each node server can receive configuration information sent by the management backend server; the configuration information includes the bandwidth upper limit of each virtual host.
Engineers set the bandwidth upper limit of every virtual host on every node server centrally on the management backend server, which sends each limit to the corresponding node server. This provides unified management that is simple and convenient.
In this embodiment, the monitoring of each virtual host for malicious attack is carried out by its own node server, so a monitoring failure on one node server does not affect the other node servers in the distributed system. Moreover, the monitoring program runs on every node server, so when new node servers are added to the distributed system, capacity expands linearly and no excessive demand is placed on the performance of the management backend server.
As an improvement on the above embodiment (parts identical to the above are not described again), Fig. 2 shows another embodiment of the invention, comprising:
S201: Capture (on the local target network interface card) all inbound IP data packets in real time and parse them. An inbound IP data packet is an IP data packet sent by a device other than the local node server. Each parsed IP data packet includes: a destination IP address and the parsed data packet.
S202: Obtaining, when the preset detection interval time is reached, the actual data packet size of each virtual host within the preset time interval from the parsed IP data packets is specifically:
S212: Aggregate each parsed data packet into the data packet list of the virtual host corresponding to its destination IP address;
S222: When the preset detection interval time is reached, count, from the data packet list of each virtual host, the actual data packet size of each virtual host within the preset time interval.
Specifically, inbound IP data packets are captured and parsed in real time and aggregated under the virtual host corresponding to the destination IP address. When the preset detection interval time is reached, the actual data packet size of each virtual host within the preset time interval can be counted, which makes its actual bandwidth easy to calculate.
For example: an inbound IP data packet is captured, and parsing yields a 1KB parsed data packet and the destination IP address 218.82.95.213; this 1KB parsed data packet is aggregated under virtual host 1, which corresponds to 218.82.95.213.
Suppose virtual host 1 has 4 parsed data packets within the preset time interval, of 1.5KB, 1KB, 1.2KB and 1.1KB. When the preset detection interval time is reached, the actual data packet size of virtual host 1 over the 30 seconds (the preset time interval) is 1.5+1+1.2+1.1=4.8KB.
The actual data packet size of every virtual host is obtained in the same way, which is not described in detail here.
S203: Calculating the actual bandwidth of each virtual host from its actual data packet size is specifically: S213: Divide the actual data packet size of each virtual host by the preset time interval to obtain the actual bandwidth of each virtual host.
Specifically, the unit of actual bandwidth is M/S, so the preset time interval must be converted to seconds for the calculation.
For example: the preset time interval is 1 minute and the actual data packet size of virtual host 2 is 90M, so the actual bandwidth of virtual host 2 is 90/60=1.5M/S. The calculation is the same for the other virtual hosts and is not repeated here.
S204: Judge, for each virtual host, whether its actual bandwidth is greater than its corresponding bandwidth upper limit;
S205: When the actual bandwidth of a virtual host is greater than its corresponding bandwidth upper limit, disconnect the network of that virtual host.
Optionally, the method further comprises: receiving configuration information sent by the management backend server, the configuration information including the bandwidth upper limit of each virtual host.
On the node server of this embodiment, the parsed data packets of each virtual host are captured and aggregated in real time, and the bandwidth judgment is made periodically. This effectively monitors whether each virtual host is under malicious attack; if it is, measures are taken promptly to protect the normal operation of the virtual hosts on this node server that are not under attack.
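The per-node loop of steps S201 to S205, as an added example that is not code from the patent: it parses IPv4 headers, aggregates inbound bytes per destination virtual host, and at each detection time divides by the interval and blocks hosts above their limit. The class and function names, the addresses 203.0.113.7 and 10.0.0.1, and modelling "disconnect" as dropping further packets are assumptions; the sample packets are constructed and full-packet capture is assumed.

```python
import ipaddress
import struct
from collections import defaultdict


def build_ipv4_packet(src, dst, total_length):
    """Constructed sample input: 20-byte IPv4 header followed by zero padding."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_length, 0, 0, 64, 17, 0,  # ver/IHL, ToS, length, id, frag, TTL, UDP, checksum (left 0)
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )
    return header + bytes(total_length - len(header))


def parse_ipv4(packet):
    """Return (src, dst, total_length), or None for anything that is not a sane IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    total_length = struct.unpack("!H", packet[2:4])[0]
    # Reject impossible header lengths and lengths larger than what was captured.
    if ihl < 20 or total_length < ihl or total_length > len(packet):
        return None
    src = str(ipaddress.IPv4Address(packet[12:16]))
    dst = str(ipaddress.IPv4Address(packet[16:20]))
    return src, dst, total_length


class NodeMonitor:
    """Hypothetical per-node monitor; sizes and limits share one unit (bytes here)."""

    def __init__(self, vm_by_ip, limits, local_sources, interval_seconds):
        self.vm_by_ip = dict(vm_by_ip)            # destination IP -> virtual host name
        self.limits = dict(limits)                # virtual host name -> limit per second
        self.local_sources = set(local_sources)   # node server and its own virtual hosts
        self.interval = interval_seconds          # preset time interval, in seconds
        self.bytes_seen = defaultdict(int)        # running total per virtual host
        self.blocked = set()

    def ingest(self, packet):
        """S201/S212: parse one captured packet and aggregate it; True if counted."""
        parsed = parse_ipv4(packet)
        if parsed is None:
            return False
        src, dst, size = parsed
        if src in self.local_sources:             # not inbound: sent from this node
            return False
        vm = self.vm_by_ip.get(dst)
        if vm is None or vm in self.blocked:      # unknown target, or already cut off
            return False
        self.bytes_seen[vm] += size
        return True

    def close_interval(self):
        """S222 to S205: run at each preset detection interval time."""
        bandwidth = {vm: self.bytes_seen.get(vm, 0) / self.interval
                     for vm in self.limits}
        # Strictly greater than the limit, as the method states.
        over = sorted(vm for vm, bw in bandwidth.items() if bw > self.limits[vm])
        self.blocked.update(over)
        self.bytes_seen.clear()                   # start the next interval from zero
        return bandwidth, over


if __name__ == "__main__":
    monitor = NodeMonitor({"218.82.95.213": "vm1"}, {"vm1": 100.0}, {"10.0.0.1"}, 30)
    for size in (1500, 1000, 1200, 1100):         # the four packets of the worked example
        monitor.ingest(build_ipv4_packet("203.0.113.7", "218.82.95.213", size))
    print(monitor.close_interval())
```
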
Fig. 3 shows an embodiment of a node server of the invention, on which at least one virtual host is deployed, comprising:
A capture-and-parse module 10, for capturing (on the local target network interface card, determined by the card actually in use) all inbound IP data packets in real time and parsing them.
Specifically, an inbound IP data packet is an IP data packet sent by a device other than the local node server (for example, another node server or a mobile terminal).
After each IP data packet is parsed, the destination IP address (that is, which virtual host the data packet is to be sent to) and the parsed data packet are obtained.
A size acquisition module 20, for obtaining, when the preset detection interval time is reached, the actual data packet size of each virtual host within the preset time interval from the parsed IP data packets.
Specifically, the node server periodically checks the actual bandwidth of each virtual host; if a problem is found, it can take timely measures to stop a malicious external attack.
The preset detection interval time and the preset time interval are set according to actual needs. For example, with a preset time interval of 1 minute, 10:01:00, 10:02:00, 10:03:00, ... are the preset detection interval times; at 10:02:00, the node server obtains the actual data packet size of each virtual host for the 1 minute 10:01:01-10:02:00.
A bandwidth calculation module 30, for calculating the actual bandwidth of each virtual host from its actual data packet size.
A bandwidth judgment module 40, for judging, for each virtual host, whether its actual bandwidth is greater than its corresponding bandwidth upper limit.
Specifically, at every preset detection interval time, the current actual bandwidth of each virtual host is calculated, which keeps the data up to date.
Each virtual host is given its own bandwidth upper limit according to its function. The upper limit is set so that the bandwidth a virtual host uses under normal conditions cannot exceed it; if the upper limit is exceeded, the virtual host is under malicious attack.
A network disconnection module 50, for disconnecting the network of a virtual host when its actual bandwidth is greater than its corresponding bandwidth upper limit. A virtual host whose actual bandwidth is not greater than its bandwidth upper limit is allowed to communicate normally.
For specific examples, refer to the corresponding method embodiment; they are not repeated here.
In the distributed system, each node server is communicatively connected to one management backend server. The information receiving module of each node server can receive configuration information sent by the management backend server; the configuration information includes the bandwidth upper limit of each virtual host.
Engineers set the bandwidth upper limit of every virtual host on every node server centrally on the management backend server, which sends each limit to the corresponding node server. This provides unified management that is simple and convenient.
In this embodiment, the monitoring of each virtual host for malicious attack is carried out by its own node server, so a monitoring failure on one node server does not affect the other node devices in the distributed system. Moreover, the monitoring program runs on every node server, so when new node servers are added to the distributed system, capacity expands linearly and no excessive demand is placed on the performance of the management backend server.
Based on the improvement of above-mentioned node server embodiment, part same as described above is not repeated to describe, and Fig. 4 is shown The embodiment of another node server of the invention, comprising:
Grab parsing module 10, for capturing in real time (on the local target network card) all inbound (entering-direction) IP data packets and parsing them. An inbound IP data packet is an IP data packet sent by a device other than the local node server. Each parsed IP data packet includes a destination IP address and a parsed data packet.
Acquiring size module 20, for obtaining, when the preset detection interval is reached, the actual data packet size of each fictitious host computer within the preset time interval according to the parsed IP data packets. It specifically includes:
Collects submodule 21, for adding each parsed data packet to the data packet list of the fictitious host computer corresponding to its destination IP address;
Statistic submodule 22, for counting, when the preset detection interval is reached, the actual data packet size of each fictitious host computer within the preset time interval from the data packet list of each fictitious host computer.
Specifically, inbound IP data packets are captured and parsed in real time and aggregated under the fictitious host computer corresponding to the destination IP address. When the preset detection interval is reached, the actual data packet size of each fictitious host computer within the preset time interval can be counted, which makes it easy to calculate its actual bandwidth.
For example: an inbound IP data packet is captured; parsing yields a parsed data packet of 1KB and the destination IP address 218.82.95.213, and this 1KB parsed data packet is aggregated under fictitious host computer 1, which corresponds to 218.82.95.213.
Suppose fictitious host computer 1 has 4 parsed data packets within the preset time interval, of 1.5KB, 1KB, 1.2KB and 1.1KB. When the preset detection interval is reached, the actual data packet size of fictitious host computer 1 within 30 seconds (the preset time interval) is 1.5+1+1.2+1.1=4.8KB.
The actual data packet size of every fictitious host computer is obtained in the same way and is not described in detail here.
Bandwidth calculation module 30, for calculating the actual bandwidth of each fictitious host computer according to its actual data packet size; specifically, for dividing the actual data packet size of each fictitious host computer by the preset time interval to obtain the actual bandwidth of each fictitious host computer.
Specifically, the unit of actual bandwidth is M/S, so the preset time interval must be converted to seconds for the calculation.
For example: if the preset time interval is 1 minute and the actual data packet size of fictitious host computer 2 is 90M, the actual bandwidth of fictitious host computer 2 is 90/60=1.5M/S. The calculation for the other fictitious host computers is the same and is not repeated here.
Bandwidth judgment module 40, for judging, for each fictitious host computer, whether its actual bandwidth is greater than its corresponding bandwidth upper limit;
Network disconnect module 50, for disconnecting the network of a fictitious host computer when its actual bandwidth is greater than its corresponding bandwidth upper limit.
Information receiving module 60, for receiving the configuration information sent by the management background server, the configuration information including the bandwidth upper limit of each fictitious host computer.
The node server of this embodiment captures and aggregates the parsed data packets of each fictitious host computer in real time and periodically performs the bandwidth judgment, which effectively monitors whether each fictitious host computer is under malicious attack. If it is, measures are taken in time, protecting the normal operation of the fictitious host computers on this node server that are not under malicious attack.
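The capture, aggregate, calculate and judge steps of modules 10 to 50 can be sketched as follows. This is an added example, not code from the patent: the class and function names, the address 203.0.113.20, the 1.0 M/S limits and the reading of "M" as 2**20 bytes are assumptions, and the disconnect action itself is left to the caller.

```python
from collections import defaultdict

MB = 1024 * 1024  # assumption: the page's "M" is read as 2**20 bytes


class InboundBandwidthMonitor:
    """Per-virtual-host inbound bandwidth check for one node server."""

    def __init__(self, limits_mb_s, interval_s, local_ips=()):
        self.limits_mb_s = dict(limits_mb_s)  # dest IP -> upper limit, M/S
        self.interval_s = interval_s          # preset time interval, seconds
        self.local_ips = set(local_ips)       # the node server's own addresses
        self._bytes = defaultdict(int)        # dest IP -> bytes this interval

    def on_packet(self, src_ip, dst_ip, size_bytes):
        """Aggregate one parsed inbound packet under its destination host."""
        if src_ip in self.local_ips:          # not inbound: sent by this node
            return
        if dst_ip not in self.limits_mb_s:    # no virtual host at this address
            return
        self._bytes[dst_ip] += size_bytes

    def evaluate(self):
        """Run at each detection interval: return {ip: (M/S, over_limit)}."""
        report = {}
        for ip, limit in self.limits_mb_s.items():
            actual = self._bytes[ip] / MB / self.interval_s
            report[ip] = (actual, actual > limit)  # strictly greater than limit
        self._bytes.clear()                   # start the next interval empty
        return report


def demo():
    """Constructed traffic: host 1 is quiet, host 2 receives ~90 M in 60 s."""
    host1, host2 = "218.82.95.213", "203.0.113.20"   # host2 IP is made up
    mon = InboundBandwidthMonitor({host1: 1.0, host2: 1.0}, interval_s=60,
                                  local_ips={"203.0.113.1"})
    for size in (1536, 1024, 1229, 1126):            # ~4.8 KB for host 1
        mon.on_packet("198.51.100.7", host1, size)
    for _ in range(62915):                           # 1500-byte packets, ~90 M
        mon.on_packet("198.51.100.9", host2, 1500)
    mon.on_packet("203.0.113.1", host1, 50 * MB)     # local sender: ignored
    report = mon.evaluate()
    to_disconnect = sorted(ip for ip, (_, over) in report.items() if over)
    return report, to_disconnect


if __name__ == "__main__":
    print(demo())
```

A host whose measured bandwidth exactly equals its limit is not flagged, matching the "greater than" wording of the judgment step.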
Fig. 5 shows one embodiment of the monitoring system of the invention for fictitious host computers under malicious attack, comprising: a management background server 100 and multiple node servers 200 as described in any of the above node server embodiments.
The management background server sends each node server the bandwidth upper limits of the fictitious host computers on it, so that each node server can itself monitor its fictitious host computers for malicious attack. An engineer can assign different bandwidth upper limits according to the different services each fictitious host computer handles.
In this embodiment the bandwidth upper limits of the fictitious host computers of all node servers are configured centrally by the management background server, which lets engineers manage them in one place and is easy and quick to use.
It should be noted that the above embodiments can be freely combined as needed. The above are only preferred embodiments of the invention. It should be pointed out that those of ordinary skill in the art can make several improvements and modifications without departing from the principle of the invention, and these improvements and modifications should also be regarded as within the scope of protection of the invention.

Claims (10)

1. A monitoring and processing method for a fictitious host computer under malicious attack, characterized in that it is applied to each node server in a distributed system, at least one fictitious host computer being deployed on each node server, the method comprising:
capturing in real time all inbound IP data packets and parsing them;
when the preset detection interval is reached, obtaining, according to the parsed IP data packets, the actual data packet size of each fictitious host computer within the preset time interval;
calculating the actual bandwidth of each fictitious host computer according to its actual data packet size;
judging, for each fictitious host computer, whether its actual bandwidth is greater than its corresponding bandwidth upper limit;
when the actual bandwidth of a fictitious host computer is greater than its corresponding bandwidth upper limit, disconnecting the network of that fictitious host computer.
2. The monitoring and processing method for a fictitious host computer under malicious attack as described in claim 1, characterized in that an inbound IP data packet is an IP data packet sent by a device other than the local node server.
3. The monitoring and processing method for a fictitious host computer under malicious attack as described in claim 1, characterized in that:
each parsed IP data packet includes a destination IP address and a parsed data packet;
the step of obtaining, when the preset detection interval is reached and according to the parsed IP data packets, the actual data packet size of each fictitious host computer within the preset time interval is specifically:
adding each parsed data packet to the data packet list of the fictitious host computer corresponding to its destination IP address;
when the preset detection interval is reached, counting, from the data packet list of each fictitious host computer, the actual data packet size of each fictitious host computer within the preset time interval.
4. The monitoring and processing method for a fictitious host computer under malicious attack as described in claim 1, characterized in that the step of calculating the actual bandwidth of each fictitious host computer according to its actual data packet size is specifically:
dividing the actual data packet size of each fictitious host computer by the preset time interval to obtain the actual bandwidth of each fictitious host computer.
5. The monitoring and processing method for a fictitious host computer under malicious attack as described in any of claims 1-4, characterized in that it further comprises:
receiving the configuration information sent by the management background server, the configuration information including the bandwidth upper limit of each fictitious host computer.
6. A node server, characterized in that at least one fictitious host computer is deployed on the node server, comprising:
a grab parsing module, for capturing in real time all inbound IP data packets and parsing them;
an acquiring size module, for obtaining, when the preset detection interval is reached and according to the parsed IP data packets, the actual data packet size of each fictitious host computer within the preset time interval;
a bandwidth calculation module, for calculating the actual bandwidth of each fictitious host computer according to its actual data packet size;
a bandwidth judgment module, for judging, for each fictitious host computer, whether its actual bandwidth is greater than its corresponding bandwidth upper limit;
a network disconnect module, for disconnecting the network of a fictitious host computer when its actual bandwidth is greater than its corresponding bandwidth upper limit.
7. The node server as claimed in claim 6, characterized in that each parsed IP data packet includes a destination IP address and a parsed data packet;
the acquiring size module, for obtaining, when the preset detection interval is reached and according to the parsed IP data packets, the actual data packet size of each fictitious host computer within the preset time interval, specifically includes:
a collects submodule, for adding each parsed data packet to the data packet list of the fictitious host computer corresponding to its destination IP address;
a statistic submodule, for counting, when the preset detection interval is reached, the actual data packet size of each fictitious host computer within the preset time interval from the data packet list of each fictitious host computer.
8. The node server as claimed in claim 6, characterized in that the bandwidth calculation module, for calculating the actual bandwidth of each fictitious host computer according to its actual data packet size, is specifically:
the bandwidth calculation module, for dividing the actual data packet size of each fictitious host computer by the preset time interval to obtain the actual bandwidth of each fictitious host computer.
9. The node server as claimed in claims 6 to 8, characterized in that it further comprises:
an information receiving module, for receiving the configuration information sent by the management background server, the configuration information including the bandwidth upper limit of each fictitious host computer.
10. A monitoring system for a fictitious host computer under malicious attack, characterized by comprising: a management background server and multiple node servers according to any of claims 6-9.
CN201811232473.9A 2018-10-22 2018-10-22 Fictitious host computer is by the monitor processing method of malicious attack and system, node server Pending CN109413062A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811232473.9A CN109413062A (en) 2018-10-22 2018-10-22 Fictitious host computer is by the monitor processing method of malicious attack and system, node server

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811232473.9A CN109413062A (en) 2018-10-22 2018-10-22 Fictitious host computer is by the monitor processing method of malicious attack and system, node server

Publications (1)

Publication Number Publication Date
CN109413062A true CN109413062A (en) 2019-03-01

Family

ID=65468241

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811232473.9A Pending CN109413062A (en) 2018-10-22 2018-10-22 Fictitious host computer is by the monitor processing method of malicious attack and system, node server

Country Status (1)

Country Link
CN (1) CN109413062A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190301